RE: Re:spinlocks held by a thread [NTTALK]

Well, you may argue about the trust line as much as you want, but the one that the Windows security model is actually based upon is not on the list that you have presented. Out of the listed choices, the one that gets closest to it is option (a). It can be described as “everything running under the same logon session is, basically, a common property”.

Look at the Windows process model - it seems to be specifically designed to allow a program A to subvert a program B as long as they run under the same logon session. Multiple threads running in multiple address spaces have unlimited access to one another so that they can kill, suspend, resume, and change the execution context of one another; they can modify other address spaces pretty much the same way they modify their own so that they can create threads, as well as modify and allocate memory in other address spaces; countless modules that may come from various sources may be hosted in the same address space.

Again, figuratively speaking, the logon session is a building with numerous apartments that have no locks on their front doors. Therefore, if some naive resident brings in some guest with malicious intentions, this malicious guest can wreak such havoc that even a clean system reinstall would not help. However, you seem to be justifying such a model by the impossibility of designing a 100% reliable burglar-prevention system anyway…

Anton Bassov